products/SUSE_ALP_Standard
9
0
Fork 1
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity
a46b156191
SUSE_ALP_Standard/patchinfo.20240821152252846955.269002615871826/_patchinfo

346 lines
15 KiB
Plaintext
Raw Blame History

<patchinfo incident="59">
<!-- generated from request(s) 341235 -->
<issue tracker="bmo" id="215997"/>
<issue tracker="bmo" id="671060"/>
<issue tracker="bmo" id="676100"/>
<issue tracker="bmo" id="676118"/>
<issue tracker="bmo" id="864039"/>
<issue tracker="bmo" id="1325335"/>
<issue tracker="bmo" id="1548723"/>
<issue tracker="bmo" id="1573097"/>
<issue tracker="bmo" id="1615555"/>
<issue tracker="bmo" id="1748105"/>
<issue tracker="bmo" id="1753026"/>
<issue tracker="bmo" id="1757758"/>
<issue tracker="bmo" id="1774659"/>
<issue tracker="bmo" id="1775046"/>
<issue tracker="bmo" id="1780432"/>
<issue tracker="bmo" id="1784253"/>
<issue tracker="bmo" id="1793811"/>
<issue tracker="bmo" id="1813401"/>
<issue tracker="bmo" id="1818766"/>
<issue tracker="bmo" id="1822450"/>
<issue tracker="bmo" id="1822935"/>
<issue tracker="bmo" id="1822936"/>
<issue tracker="bmo" id="1826451"/>
<issue tracker="bmo" id="1826652"/>
<issue tracker="bmo" id="1827224"/>
<issue tracker="bmo" id="1827303"/>
<issue tracker="bmo" id="1827444"/>
<issue tracker="bmo" id="1829112"/>
<issue tracker="bmo" id="1830415"/>
<issue tracker="bmo" id="1830978"/>
<issue tracker="bmo" id="1831552"/>
<issue tracker="bmo" id="1833270"/>
<issue tracker="bmo" id="1834851"/>
<issue tracker="bmo" id="1835357"/>
<issue tracker="bmo" id="1835425"/>
<issue tracker="bmo" id="1835828"/>
<issue tracker="bmo" id="1836781"/>
<issue tracker="bmo" id="1836925"/>
<issue tracker="bmo" id="1837431"/>
<issue tracker="bmo" id="1837617"/>
<issue tracker="bmo" id="1837987"/>
<issue tracker="bmo" id="1839327"/>
<issue tracker="bmo" id="1839795"/>
<issue tracker="bmo" id="1839992"/>
<issue tracker="bmo" id="1840429"/>
<issue tracker="bmo" id="1840437"/>
<issue tracker="bmo" id="1840505"/>
<issue tracker="bmo" id="1840510"/>
<issue tracker="bmo" id="1841029"/>
<issue tracker="bmo" id="1842928"/>
<issue tracker="bmo" id="1842932"/>
<issue tracker="bmo" id="1842935"/>
<issue tracker="bmo" id="1842937"/>
<issue tracker="bmo" id="1847845"/>
<issue tracker="bmo" id="1848183"/>
<issue tracker="bmo" id="1849077"/>
<issue tracker="bmo" id="1849471"/>
<issue tracker="bmo" id="1850598"/>
<issue tracker="bmo" id="1850982"/>
<issue tracker="bmo" id="1851044"/>
<issue tracker="bmo" id="1851049"/>
<issue tracker="bmo" id="1852011"/>
<issue tracker="bmo" id="1852179"/>
<issue tracker="bmo" id="1853737"/>
<issue tracker="bmo" id="1854438"/>
<issue tracker="bmo" id="1854439"/>
<issue tracker="bmo" id="1854795"/>
<issue tracker="bmo" id="1855318"/>
<issue tracker="bmo" id="1858241"/>
<issue tracker="bmo" id="1860670"/>
<issue tracker="bmo" id="1861265"/>
<issue tracker="bmo" id="1861728"/>
<issue tracker="bmo" id="1863605"/>
<issue tracker="bmo" id="1865450"/>
<issue tracker="bmo" id="1867408"/>
<issue tracker="bmo" id="1869378"/>
<issue tracker="bmo" id="1869408"/>
<issue tracker="bmo" id="1869642"/>
<issue tracker="bmo" id="1870673"/>
<issue tracker="bmo" id="1871152"/>
<issue tracker="bmo" id="1871219"/>
<issue tracker="bmo" id="1871630"/>
<issue tracker="bmo" id="1871631"/>
<issue tracker="bmo" id="1873095"/>
<issue tracker="bmo" id="1873296"/>
<issue tracker="bmo" id="1874017"/>
<issue tracker="bmo" id="1874111"/>
<issue tracker="bmo" id="1874458"/>
<issue tracker="bmo" id="1874937"/>
<issue tracker="bmo" id="1875356"/>
<issue tracker="bmo" id="1875506"/>
<issue tracker="bmo" id="1875965"/>
<issue tracker="bmo" id="1876179"/>
<issue tracker="bmo" id="1876390"/>
<issue tracker="bmo" id="1876800"/>
<issue tracker="bmo" id="1877344"/>
<issue tracker="bmo" id="1877730"/>
<issue tracker="bmo" id="1879513"/>
<issue tracker="bmo" id="1879945"/>
<issue tracker="bmo" id="1880857"/>
<issue tracker="bmo" id="1881027"/>
<issue tracker="bmo" id="1884276"/>
<issue tracker="bmo" id="1884444"/>
<issue tracker="bmo" id="1885404"/>
<issue tracker="bmo" id="1887996"/>
<issue tracker="bmo" id="1889671"/>
<issue tracker="bmo" id="1890069"/>
<issue tracker="bmo" id="1893029"/>
<issue tracker="bmo" id="1893162"/>
<issue tracker="bmo" id="1893334"/>
<issue tracker="bmo" id="1893404"/>
<issue tracker="bmo" id="1893752"/>
<issue tracker="bmo" id="1894572"/>
<issue tracker="bmo" id="1895012"/>
<issue tracker="bmo" id="1895032"/>
<issue tracker="bmo" id="1896353"/>
<issue tracker="bmo" id="1897487"/>
<issue tracker="bmo" id="1898074"/>
<issue tracker="bmo" id="1898627"/>
<issue tracker="bmo" id="1898825"/>
<issue tracker="bmo" id="1898830"/>
<issue tracker="bmo" id="1898858"/>
<issue tracker="bmo" id="1899593"/>
<issue tracker="bmo" id="1899759"/>
<issue tracker="bmo" id="1899883"/>
<issue tracker="bmo" id="1900413"/>
<issue tracker="bmo" id="1901080"/>
<issue tracker="bmo" id="1901932"/>
<issue tracker="bmo" id="1905691"/>
<issue tracker="bnc" id="1214980">mozilla-nss: FTBFS because expired certificate since 2023-09-04</issue>
<issue tracker="bnc" id="1216198">VUL-0: CVE-2023-5388: mozilla-nss: timing attack against RSA decryption</issue>
<issue tracker="bnc" id="1222804">[FIPS 140-3][NSS] Disable DSA</issue>
<issue tracker="bnc" id="1222807">[FIPS 140-3][NSS] Remove unsafe prime group</issue>
<issue tracker="bnc" id="1222811">[FIPS 140-3][NSS] RNG checks</issue>
<issue tracker="bnc" id="1222813">[FIPS 140-3][NSS] TLS 1.2 KDF</issue>
<issue tracker="bnc" id="1222814">[FIPS 140-3][NSS] using only allowed primitived IKE KDF/HMAC combinations</issue>
<issue tracker="bnc" id="1222821">[FIPS 140-3][NSS] Only use approved hash functions</issue>
<issue tracker="bnc" id="1222822">[FIPS 140-3][NSS] Use long enough key material</issue>
<issue tracker="bnc" id="1222826">[FIPS 140-3][NSS] KDF compliance</issue>
<issue tracker="bnc" id="1222828">[FIPS 140-3][NSS] Powerup selftest not in compliance</issue>
<issue tracker="bnc" id="1222830">[FIPS 140-3][NSS] GCM Usage not in compliance</issue>
<issue tracker="bnc" id="1222833">[FIPS 140-3][NSS] block non approved KDFs</issue>
<issue tracker="bnc" id="1222834">[FIPS 140-3][NSS] RSA 1024 considerations</issue>
<issue tracker="bnc" id="1223724">[SECURITY][FIPS] Firefox won't start on 15-SP4 and 15-SP5 if master password is set</issue>
<issue tracker="bnc" id="1224113">[FIPS 140-3] [NSS] Consider adding the CKM_ECDH1_COFACTOR_DERIVE to the approved mechanisms list.</issue>
<issue tracker="bnc" id="1224115">[FIPS 140-3] [NSS] Consider adding CKM_NSS_AES_KEY_WRAP and CKM_NSS_AES_KEY_WRAP_PAD</issue>
<issue tracker="bnc" id="1224116">[FIPS 140-3] [NSS] NSC_GenerateKey Mechanism</issue>
<issue tracker="bnc" id="1224118">[FIPS 140-3] [NSS] Block ECDH+ANS X9.63</issue>
<issue tracker="bnc" id="1227918">[security][fips] openjdk crash in FIPS mode</issue>
<issue tracker="cve" id="2023-5388"/>
<issue tracker="jsc" id="PED-6358"/>
<packager>MSirringhaus</packager>
<rating>critical</rating>
<category>security</category>
<summary>Security update for mozilla-nss</summary>
<description>This update for mozilla-nss fixes the following issues:
- update to NSS 3.101.2
- ChaChaXor to return after the function
- update to NSS 3.101.1
- missing sqlite header.
- GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
- update to NSS 3.101
- add diagnostic assertions for SFTKObject refcount.
- freeing the slot in DeleteCertAndKey if authentication failed
- fix formatting issues.
- Add Firmaprofesional CA Root-A Web to NSS.
- remove invalid acvp fuzz test vectors.
- pad short P-384 and P-521 signatures gtests.
- remove unused FreeBL ECC code.
- pad short P-384 and P-521 signatures.
- be less strict about ECDSA private key length.
- Integrate HACL* P-521.
- Integrate HACL* P-384.
- memory leak in create_objects_from_handles.
- ensure all input is consumed in a few places in mozilla::pkix
- SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
- clean up escape handling
- Use lib::pkix as default validator instead of the old-one
- Need to add high level support for PQ signing.
- Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
- SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
- Allow for non-full length ecdsa signature when using softoken
- Modification of .taskcluster.yml due to mozlint indent defects
- Implement support for PBMAC1 in PKCS#12
- disable VLA warnings for fuzz builds.
- remove redundant AllocItem implementation.
- add PK11_ReadDistrustAfterAttribute.
- Clang-formatting of SEC_GetMgfTypeByOidTag update
- Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
- sftk_getParameters(): Fix fallback to default variable after error with configfile.
- Switch to the mozillareleases/image_builder image
- update to NSS 3.100
- merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations.
- remove ckcapi.
- avoid a potential PK11GenericObject memory leak.
- Remove incomplete ESDH code.
- Decrypt RSA OAEP encrypted messages.
- Fix certutil CRLDP URI code.
- Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
- Add ability to encrypt and decrypt CMS messages using ECDH.
- Correct Templates for key agreement in smime/cmsasn.c.
- Moving the decodedCert allocation to NSS.
- Allow developers to speed up repeated local execution of NSS tests that depend on certificates.
- update to NSS 3.99
- Removing check for message len in ed25519
- add ed25519 to SECU_ecName2params.
- add EdDSA wycheproof tests.
- nss/lib layer code for EDDSA.
- Adding EdDSA implementation.
- Exporting Certificate Compression types
- Updating ACVP docker to rust 1.74
- Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552
- Add NSS_CMSRecipient_IsSupported.
- update to NSS 3.98
- CVE-2023-5388: Timing attack against RSA decryption in TLS
- Certificate Compression: enabling the check that the compression was advertised
- Move Windows workers to nss-1/b-win2022-alpha
- Remove Email trust bit from OISTE WISeKey Global Root GC CA
- Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss`
- Certificate Compression: Updating nss_bogo_shim to support Certificate compression
- TLS Certificate Compression (RFC 8879) Implementation
- Add valgrind annotations to freebl kyber operations for constant-time execution tests
- Set nssckbi version number to 2.66
- Add Telekom Security roots
- Add D-Trust 2022 S/MIME roots
- Remove expired Security Communication RootCA1 root
- move keys to a slot that supports concatenation in PK11_ConcatSymKeys
- remove unmaintained tls-interop tests
- bogo: add support for the -ipv6 and -shim-id shim flags
- bogo: add support for the -curves shim flag and update Kyber expectations
- bogo: adjust expectation for a key usage bit test
- mozpkix: add option to ignore invalid subject alternative names
- Fix selfserv not stripping `publicname:` from -X value
- take ownership of ecckilla shims
- add valgrind annotations to freebl/ec.c
- PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
- Update zlib to 1.3.1
- update to NSS 3.97
- make Xyber768d00 opt-in by policy
- add libssl support for xyber768d00
- add PK11_ConcatSymKeys
- add Kyber and a PKCS#11 KEM interface to softoken
- add a FreeBL API for Kyber
- part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
- part 1: add a script for vendoring kyber from pq-crystals repo
- Removing the calls to RSA Blind from loader.*
- fix worker type for level3 mac tasks
- RSA Blind implementation
- Remove DSA selftests
- read KWP testvectors from JSON
- Backed out changeset dcb174139e4f
- Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
- Wrap CC shell commands in gyp expansions
- update to NSS 3.96.1
- Use pypi dependencies for MacOS worker in ./build_gyp.sh
- p7sign: add -a hash and -u certusage (also p7verify cleanups)
- add a defensive check for large ssl_DefSend return values
- Add dependency to the taskcluster script for Darwin
- Upgrade version of the MacOS worker for the CI
- update to NSS 3.95
- Bump builtins version number.
- Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert.
- Remove 4 DigiCert (Symantec/Verisign) Root Certificates
- Remove 3 TrustCor Root Certificates from NSS.
- Remove Camerfirma root certificates from NSS.
- Remove old Autoridad de Certificacion Firmaprofesional Certificate.
- Add four Commscope root certificates to NSS.
- Add TrustAsia Global Root CA G3 and G4 root certificates.
- Include P-384 and P-521 Scalar Validation from HACL*
- Include P-256 Scalar Validation from HACL*.
- After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level
- Add means to provide library parameters to C_Initialize
- clang format
- add OSXSAVE and XCR0 tests to AVX2 detection.
- Typo in ssl3_AppendHandshakeNumber
- Introducing input check of ssl3_AppendHandshakeNumber
- Fix Invalid casts in instance.c
- update to NSS 3.94
- Updated code and commit ID for HACL*
- update ACVP fuzzed test vector: refuzzed with current NSS
- Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants
- NSS needs a database tool that can dump the low level representation of the database
- declare string literals using char in pkixnames_tests.cpp
- avoid implicit conversion for ByteString
- update rust version for acvp docker
- Moving the init function of the mpi_ints before clean-up in ec.c
- P-256 ECDH and ECDSA from HACL*
- Add ACVP test vectors to the repository
- Stop relying on std::basic_string&lt;uint8_t&gt;
- Transpose the PPC_ABI check from Makefile to gyp
- Update to NSS 3.93:
- Update zlib in NSS to 1.3.
- softoken: iterate hashUpdate calls for long inputs.
- regenerate NameConstraints test certificates (bsc#1214980).
- update to NSS 3.92
- Set nssckbi version number to 2.62
- Add 4 Atos TrustedRoot Root CA certificates to NSS
- Add 4 SSL.com Root CA certificates
- Add Sectigo E46 and R46 Root CA certificates
- Add LAWtrust Root CA2 (4096)
- Remove E-Tugra Certification Authority root
- Remove Camerfirma Chambers of Commerce Root.
- Remove Hongkong Post Root CA 1
- Remove E-Tugra Global Root CA ECC v3 and RSA v3
- Avoid redefining BYTE_ORDER on hppa Linux
- update to NSS 3.91
- Implementation of the HW support check for ADX instruction
- Removing the support of Curve25519
- Fix comment about the addition of ticketSupportsEarlyData
- Adding args to enable-legacy-db build
- dbtests.sh failure in "certutil dump keys with explicit default trust flags"
- Initialize flags in slot structures
- Improve the length check of RSA input to avoid heap overflow
- Followup Fixes
- avoid processing unexpected inputs by checking for m_exptmod base sign
- add a limit check on order_k to avoid infinite loop
- Update HACL* to commit 5f6051d2
- add SHA3 to cryptohi and softoken
- HACL SHA3
- Disabling ASM C25519 for A but X86_64
- update to NSS 3.90.3
- GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
- clean up escape handling.
- remove redundant AllocItem implementation.
- Disable ASM support for Curve25519.
- Disable ASM support for Curve25519 for all but X86_64.
</description>
<package>mozilla-nss</package>
<seperate_build_arch/>
</patchinfo>
Reference in New Issue View Git Blame Copy Permalink